CVE-2026-48065
Deferred Deferred - Pending Action
Heap Overflow in pam_usb Due to Integer Overflow

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: GitHub, Inc.

Description
pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.1, src/conf.c allocates heap memory proportional to n_devices, a count derived from libxml2 XPath evaluation of the config file, without first enforcing an upper bound. On 32-bit targets (armv7l, i686 -- both listed in the project Makefile), the multiplication n_devices * sizeof(t_pusb_device) wraps around size_t, causing xmalloc() to receive a very small size. Because xmalloc() only calls abort() on NULL return, a small-but-non-NULL allocation is accepted, and subsequent array writes overflow the heap. This vulnerability is fixed in 0.9.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-05-27
Generated
2026-06-17
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-15
NVD
CVE-2026-48065
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
mcdope pam_usb to 0.9.1 (exc)
mcdope pam_usb From 0.9.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-190 The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The CVE-2026-48065 vulnerability in pam_usb allows a heap-based buffer overflow on 32-bit systems, potentially leading to high impacts on confidentiality, integrity, and availability of the system.

Because the vulnerability can compromise confidentiality and integrity, it may affect compliance with standards and regulations such as GDPR and HIPAA, which require protection of sensitive data and system integrity.

However, exploitation requires write access to a root-owned configuration file, limiting the attack vector to scenarios where an attacker already has elevated privileges or has exploited other vulnerabilities.

Therefore, while the vulnerability poses a risk to compliance by potentially exposing or corrupting sensitive data, the limited exploitability reduces the likelihood of direct impact under normal secure configurations.

Executive Summary

The vulnerability CVE-2026-48065 in pam_usb involves an integer overflow in heap memory allocation on 32-bit systems. Specifically, the variable n_devices, which counts devices from an XML configuration file, is multiplied by the size of a device structure without an upper bound check. On 32-bit targets, this multiplication can wrap around the size_t type, causing the memory allocator xmalloc() to allocate a much smaller buffer than needed. Since xmalloc() accepts small non-NULL allocations, subsequent writes to this undersized buffer overflow the heap.

This issue occurs only on 32-bit systems like armv7l and i686 and requires write access to the pam_usb configuration file, which is typically root-owned. The vulnerability is fixed by enforcing a maximum device limit (PUSB_MAX_DEVICES) before allocation to prevent the overflow.

Impact Analysis

This vulnerability can lead to a heap-based buffer overflow, which may allow an attacker to corrupt memory, potentially causing crashes, arbitrary code execution, or privilege escalation.

However, exploitation requires write access to the pam_usb configuration file, which is usually restricted to root, limiting the attack surface. The vulnerability affects confidentiality, integrity, and availability, as indicated by its CVSS score of 6.7 with high impact on these aspects.

The exploitability is limited to 32-bit systems, and on 64-bit systems the memory requirements prevent overflow.

Detection Guidance

This vulnerability can be detected by checking the version of pam_usb installed on your system and verifying if it is 0.9.0 or earlier, as these versions are affected.

Additionally, detection involves verifying if the system is running on a 32-bit architecture such as armv7l or i686, since the vulnerability affects only 32-bit targets.

You should also check the permissions and contents of the configuration file /etc/security/pam_usb.conf to see if it is writable by unauthorized users, as exploitation requires write access to this file.

Suggested commands include:

  • Check pam_usb version: `pam_usb --version` or check package version via your package manager.
  • Check system architecture: `uname -m` (look for armv7l or i686).
  • Check permissions on the config file: `ls -l /etc/security/pam_usb.conf`.
  • Inspect the number of device entries in the config file (to detect unusually large n_devices): `grep -c '<device>' /etc/security/pam_usb.conf` or parse the XML config.
Mitigation Strategies

Immediate mitigation steps include upgrading pam_usb to version 0.9.1 or later, where the vulnerability is fixed by enforcing an upper bound on the number of devices allocated.

If upgrading is not immediately possible, ensure that the /etc/security/pam_usb.conf file is secured with strict permissions to prevent unauthorized write access, as exploitation requires the ability to modify this configuration file.

Additionally, limit the number of device entries in the configuration file to a reasonable number to avoid triggering the integer overflow.

Consider applying any available patches or backported fixes that add the PUSB_MAX_DEVICES limit to prevent the overflow.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48065. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart